Data Controller and contact
The data controller is: Strapi Solutions SAS, a French company whose registered office is located 128, rue de la Boétie, 75008 France, registered on the commercial and company register of Paris under the number 823 487 855, represented by Mr. Pierre Burgy, its President (“Strapi”, “We” or the “Data controller”).
The Data is processed at the Data Controller's operating offices and in any other places where the parties involved with the processing are located.
128, rue de la Boétie
Email address: firstname.lastname@example.org
Legal basis of processing
The legal basis of Data processing by Strapi is:
- performance of the contract between Strapi and the User for the use of the Services when applicable;
The Services are provided through:
- The main Strapi Website - https://strapi.io
- The Strapi Community on Slack - https://slack.strapi.io
- The Strapi Studio – https://studio.strapi.io
The Data may be freely provided by the User or collected automatically when using the Services.
When the legal basis of Data processing is consent, Users can withdraw their consent at any time.
An unsubscribe link will be present in newsletters sent by Strapi to the Users.
Data We collect
Creation of a Strapi account and use of Services
To access our Services, you might have to create a User account. When you create an account, we collect your username, email address and password.
If you communicate on Strapi’s Slack account and use the Slack service, We will also have access to your job title and chat history.
We sometimes ask you for your feedback on our Services and, in such circumstances, you might accept to send us your comments on the service, first name, last name, job title, address and telephone number.
If you are a Premium customer, you also consent to the collect of your address, phone number, location, credit card information for the payment of the Services, your company name and job details.
Other Services available
If you visit the Websites and use other Services available such as:
- “Register to vote”;
- “Say hello to the user”;
- “Contact form”;
We sale items online to our community (such as stickers and tee-shirts).
You can purchase these items online on our website page: https://strapi.io/shop.
If you purchase an item, We will collect your contact details, address, phone number, location, credit card information and company name in order to deliver the goods.
You are responsible for any Data of third parties obtained, published or shared through the Services and confirm that you have the third party's consent to provide such Data to Strapi.
Purposes of the processing
We process the Data in order to:
- create a User account;
- deliver and improve our Services;
- provide you with any technical support you might need;
- communicate with you;
- generate and send invoices;
- comply with our legal obligations;
- send you information on the Services We offer;
- send you information about any change in our business activity;
- send you information on new Services We might offer;
- analyze your Data, allowing us to improve our Services and identify Services that might interest you;
- ask you for feedback on our Services.
The Data We collect can be accessible to:
- certain employees of Strapi working to provide you with the Services: our sales and commercial team, marketing team, accounting team;
- other Users of the Services for the following Data: username, email, password, job title, chat history;
The User declares to be aware that the Data Controller may be required to reveal Data upon request of public authorities.
Strapi uses services delivered by Subcontractors (such as third party technical service providers, mail carriers, hosting providers, IT companies, communications agencies).
It always ensures that such Subcontractors provide sufficient guarantee to implement appropriate technical and organizational measures to make sure that the processing of Data complies with the Legal Framework.
The updated list of these Subcontractors may be requested from the Data Controller at any time.
The User has been informed that the Data may be shared with third parties located, or which use servers located, outside of the European Union in countries whose data protection laws differ from those of the European Union.
In these cases, Strapi ensures that the User is informed and that this transfer is performed in compliance with the applicable regulations and guarantees a sufficient level of protection to the privacy and fundamental rights of persons in keeping with the Regulations (in particular via the standard contractual clauses of the European Commission).
You can contact us for any question or request for additional information related to these transfers.
The Data Controller processes the Data in a proper manner and shall take appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the Data.
The Data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated.
We have security measures in place to help protect against the unauthorized access of personally identifiable information under our control. We utilize both online and offline security methods, including firewalls, passwords and restricted physical access to the places where your information is stored to help protect personally identifiable information. Our staff is trained to comply with our security procedures, and our security procedures are regularly reviewed and revised as We deem necessary.
The Data is kept for:
- the time necessary to provide the Services or goods to the User;
- for a period of 3 years after:
- the last period of inactivity on the User account;
- or the last contact made by the User with the Data controller;
- or any other duration Strapi must comply with, as provided by French law (for example: 10 years for accounting documents).
- under Internet Explorer: You can block cookies by using the parameters to change the processing of cookies by clicking on “Tools”, “Internet Options”, “Confidentiality” and then on the button “Advanced”;
- on Firefox: You can block all cookies by clicking on “Tools”, “Options”, “Privacy”, selecting “Use custom settings for history” from the drop-down menu and de-selecting “Accept third-party cookies”;
- on Chrome: You can block app cookies by clicking on “Personalise and control”, then “Parameters”, “Display advanced parameters” and “Content parameters” “Cookies and site data” under the heading “Cookies”.
The User's Data may also be used for legal purposes by the Data Controller, for the duration of the dispute, in Court or in the stages leading to possible legal action arising from an improper use of the Services or the related services by the User.
Collection of information from minors
The Services are intended for a general audience and are not intended for children under the age of 15. Use of the Services is prohibited for anyone under the age of 15. If you are under 15, you must secure authorization from your parents or legal guardian before using the Services. Although the Services may contain information that may be of interest to children, the Services are not directed at children and We do not knowingly collect or solicit Personal information from children under the age of 15.
Analytics and Cookies
The Services contained in this section enable the Data Controller to monitor and analyze web traffic and can be used to keep track of User behavior.
Google Analytics (Google Inc.)
Google Analytics is a web analysis service provided by Google Inc. ("Google"). Google uses the Data collected to track and examine the use of the Services, to prepare reports on its activities and share them with other Google services.
Google may use the Data collected to contextualize and personalize the ads of its own advertising network.
Personal Data collected: Cookie and Usage data.
Place of processing: USA
Displaying content from external platforms
These services allow you to view content hosted on external platforms directly from the pages of the Services and interact with them.
If a service of this kind is installed, it may still collect web traffic data for the pages where the service is installed, even when Users do not use it.
Google Fonts (Google Inc.)
Google Fonts is a typeface visualization service provided by Google Inc. that allows the Services to incorporate content of this kind on its pages.
Place of processing: USA
Registration and authentication
By registering or authenticating, Users allow the Services to identify them and give them access to dedicated Services.
Depending on what is described below, third parties may provide registration and authentication services.
In this case, the Services will be able to access some Data, stored by these third-party services, for registration or identification purposes.
Content commenting services allow Users to make and publish their comments on the contents of the Services.
Depending on the settings chosen by the Data controller, Users may also leave anonymous comments. If there is an email address among the Data provided by the User, it may be used to send notifications of comments on the same content. Users are responsible for the content of their own comments.
If a content commenting service provided by third parties is installed, it may still collect web traffic data for the pages where the comment service is installed, even when Users do not use the content commenting service.
Disqus is a content commenting service provided by Big Heads Labs Inc.
Place of processing: USA
Mailchimp is an email address management and message sending service provided by Mailchimp Inc.
Personal Data collected: Email address.
Place of processing: USA
System Logs and Maintenance
For operation and maintenance purposes, the Services and any third-party services may collect files that record interaction with the Services (System Logs) or use for this purpose other Data (such as IP addresses).
A cookie is a small information file saved by a website on the User’s computer. The cookie can be re-used during a future visit to the same website but cannot be read by any other website than the one that created it. Most cookies are only valid for the duration of a session or visit.
No cookie can contain information that allows the User to be contacted by telephone, email or post.
Most browsers are set to accept cookies automatically; however it is possible for the User to configure their browser to be informed each time a cookie is created or to prevent them for being saved.
If You do not want the Websites to store cookies on your computer, You have the choice to block the cookies (in other words configure your browser to refuse all cookies) and/or delete the cookies that have already been placed on your computer:
More details concerning the collection or processing of Data may be requested from the Data Controller at any time. Please see the contact information at the beginning of this document.
The rights of Users
Users have the right, at any time, to know whether their Data has been stored and can consult the Data Controller to learn about their contents and origin, to verify their accuracy or to ask for them to be supplemented, cancelled, updated or corrected, to refuse their treatment for certain purposes, to limit the processing, to set instructions for preserving, erasing and communicating their Data after their death as well as the right to the portability of their Data.
Requests should be sent to the Data Controller at the contact information set out above.
You have the right to lodge a complaint with the responsible monitoring authority (in France, the CNIL) or to obtain remedies from the competent courts if you think that We have not respected your rights.
“Data” or “Personal information” shall have the same meaning than set forth under article 4 of the GDPR and shall mean “any information relating to an identified or identifiable natural person […] ; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
The individual using the Services (paid subscription or free subscription) or visiting the Websites, which must coincide with or be authorized by the data subject, to whom the Data refers.
The natural person, legal person, public administration or any other body, association or organization with the right, also jointly with another Data Controller, to make decisions regarding the purposes, and the methods of processing of Personal Data and the means used, including the security measures concerning the operation and use of the Services. The Data Controller, unless otherwise specified, is the Owner of the Services.
Latest update: September 5, 2018